Improving confidence in packet decoding

Question asked by KEVIN DIENST on Sep 27, 2016
Latest reply on Dec 28, 2016 by Thomas Jones

Background:

We have several packet decoders that receive traffic from Gigamon. That system has aggregators and taps that feed into it and provide us the raw packet traffic. Our IDS sensors receive the same feeds. 

Problem:

We have reports, fairly consistently (several per week) that an IDS sensor will fire but when SA is used to try to identify the session related to that event, we're unable to find it. 

Anyone in the RSA Link universe have tips for tackling this problem? Management wants 100% certainty that our packet decoders have all the traffic that IDS has. If our feeds are the same, the only problem I can see is with SA, but I've investigated the following for each incident:

Checked decoder performance stats (assembler pages, dropped packets, capture rate, pool pages)

Decoder system stats (CPU, memory, disk I/O, network bandwidth)

Reviewed local logs (app and system) for any irregularities

Checked app rules

Checked parsers

Checked taps are correct

Checked Gigamon feeds are correct

I have just run out of ideas. No clue how to increase the reliability of our decoder processing.

Thanks
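
One check that narrows down "IDS fired but SA can't find the session" is to correlate each IDS alert's 5-tuple and timestamp against an export of decoder session metadata, allowing for clock skew between the sensor and decoder and for the decoder having recorded the session in the opposite direction. The script below is an added example for that correlation, not code from the original post or from RSA; the alert and session rows are constructed samples, the field names are assumptions, and an alert that matches in neither direction points at the tap/feed path or drop counters for that segment rather than at a search problem.

```python
from datetime import datetime

# Constructed sample inputs (not from the original post). In practice these
# rows would come from an IDS alert export and a decoder session metadata export.
IDS_ALERTS = [
    {"id": "A1", "ts": "2016-09-27T10:15:03", "src": "10.1.1.5", "sport": 51234,
     "dst": "203.0.113.9", "dport": 80, "proto": "tcp"},
    {"id": "A2", "ts": "2016-09-27T10:20:00", "src": "203.0.113.10", "sport": 443,
     "dst": "10.1.1.6", "dport": 60001, "proto": "tcp"},
    {"id": "A3", "ts": "2016-09-27T10:25:00", "src": "10.1.1.7", "sport": 40000,
     "dst": "198.51.100.4", "dport": 22, "proto": "tcp"},
]
DECODER_SESSIONS = [
    {"ts": "2016-09-27T10:15:05", "src": "10.1.1.5", "sport": 51234,
     "dst": "203.0.113.9", "dport": 80, "proto": "tcp"},        # 2 s clock skew
    {"ts": "2016-09-27T10:19:58", "src": "10.1.1.6", "sport": 60001,
     "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},     # decoder saw it client->server
]


def _key(rec, reverse=False):
    """5-tuple key; reverse=True swaps the endpoints so direction mismatches still match."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (b, a, rec["proto"]) if reverse else (a, b, rec["proto"])


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def match_alerts(alerts, sessions, tolerance_s=30):
    """Map each alert id to 'direct', 'reversed' or None (no session within tolerance)."""
    index = {}
    for s in sessions:
        index.setdefault(_key(s), []).append(_ts(s))
    result = {}
    for a in alerts:
        result[a["id"]] = None
        for label, key in (("direct", _key(a)), ("reversed", _key(a, reverse=True))):
            if any(abs((t - _ts(a)).total_seconds()) <= tolerance_s for t in index.get(key, [])):
                result[a["id"]] = label
                break
    return result


def unmatched(alerts, sessions, tolerance_s=30):
    """Alert ids with no decoder session: candidates for tap/feed or drop-counter review."""
    return [aid for aid, how in match_alerts(alerts, sessions, tolerance_s).items() if how is None]


if __name__ == "__main__":
    print(match_alerts(IDS_ALERTS, DECODER_SESSIONS))
    print("no session found for:", unmatched(IDS_ALERTS, DECODER_SESSIONS))
```

Alerts reported as "reversed" are present on the decoder but were indexed with the endpoints swapped, which is worth knowing before concluding traffic was missed; running the check over a week of alerts shows whether the gaps cluster on one tap or feed.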